It seems like just about every mobile app you install these days requests access to your location data. Most seem to have some valid use for that information, and sharing location information makes the app more useful, so why not? Even though you may not be worried about sharing your location with the app, a presentation at Shmoocon this weekend will demonstrate how poor coding in mobile apps could expose your location to anyone.
Colby Moore, a security research engineer with Synack, and Patrick Wardle, director of research for Synack, are scheduled to present a session titled There’s Waldo! Tracking Users via Mobile Apps on Saturday at noon. The abstract for the session claims that the Synack researchers were able to track and pinpoint the locations of tens of thousands of users. They were able to detect location in real-time, as well as uncover patterns and schedules and, in some cases, even determine the exact identity of the user.
Much of the research revolves around the Grindr app—a dating app used by gay and bisexual men to meet other interested parties. Synack shared the concerning issues with Grindr but, as my peer Steve Ragan wrote in September of last year, nothing was done to correct the issue until it was discovered that authorities in Egypt were leveraging the flaw to enforce anti-gay laws.
The Synack researchers plan to talk about common classes of geolocation bugs and illustrate how developers often use location data in an insecure manner. Some geolocation APIs default to the highest level of accuracy, enabling them to reveal the precise location of the device.
Using location data combined with knowledge of specific locations—such as the addresses of the homes or offices of politicians, athletes, or movie stars—Synack was even able to determine the exact identities of many mobile device users. Flaws like the ones Synack plans to demonstrate can potentially put lives at risk. If Synack researchers can track people using insecurely handled location data, then so can potential attackers.
The problems of poor coding and insecure handling of location data are not limited to the Grindr app, though. I took a look at my own iPhone and found that there are 26 apps I’ve authorized to access my location data. The vast majority specify that location data is only used while the app is active, but four of the authorized apps are always tracking my location.
One solution would be to disable the location tracking feature on your mobile device. But if you do that, you also give up the benefits and value that come with sharing that information. Thankfully, you don’t have to go that far if app developers simply adhere to more secure coding practices.
Moore and Wardle will recommend specific best practices that app developers should employ to protect users, such as precision limiting of geolocation data and limiting the speed and magnitude of user location changes to prevent attackers from harvesting the precise distance of a device from arbitrary points.
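To make those two recommendations concrete, here is an added example (not code from Synack, Grindr, or the talk) of how a server-side location service can coarsen stored coordinates, report distance only in buckets, and rate-limit how fast and how far a client may move its own reported position. The grid size, bucket size, speed limit and interval are assumed values chosen for illustration, not numbers from the presentation.

```python
import math
from dataclasses import dataclass, field

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def coarsen(lat, lon, cell_deg=0.01):
    """Snap a fix to the centre of a ~1 km grid cell (assumed size) so the
    stored/served point no longer identifies a particular building."""
    return ((math.floor(lat / cell_deg) + 0.5) * cell_deg,
            (math.floor(lon / cell_deg) + 0.5) * cell_deg)


def bucket_distance_m(meters, bucket_m=500.0):
    """Serve distance only as the floor of a coarse bucket ('under 500 m')."""
    return math.floor(meters / bucket_m) * bucket_m


def served_distance_m(viewer_lat, viewer_lon, target_lat, target_lon):
    """Distance shown to a viewer: computed from the coarsened target and bucketed,
    so repeated queries from chosen points cannot recover an exact position."""
    c_lat, c_lon = coarsen(target_lat, target_lon)
    return bucket_distance_m(haversine_m(viewer_lat, viewer_lon, c_lat, c_lon))


@dataclass
class LocationUpdatePolicy:
    """Rate-limit client-reported moves: reject updates that arrive too often
    or that imply an implausible speed (a client 'teleporting' its position)."""
    min_interval_s: float = 60.0   # assumed minimum gap between accepted fixes
    max_speed_mps: float = 50.0    # assumed ceiling, roughly 180 km/h
    last_fix: dict = field(default_factory=dict)  # user -> (t, lat, lon)

    def accept(self, user, t, lat, lon):
        prev = self.last_fix.get(user)
        if prev is not None:
            dt = t - prev[0]
            if dt < self.min_interval_s:          # too frequent (or clock went backwards)
                return False
            if haversine_m(prev[1], prev[2], lat, lon) / dt > self.max_speed_mps:
                return False                      # moved too far for the elapsed time
        self.last_fix[user] = (t, lat, lon)       # rejected fixes never become the baseline
        return True
```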
If you happen to be attending Shmoocon and have an opportunity to attend this session, comment here to share your thoughts.